Understandably, every employee wants to look good in front of their boss and do a good job at work overall. But this can mislead them into falling for an exceptional form of phishing: the CEO fraud scam. If their boss needs them to complete a task ASAP, your employees are more likely to immediately act on the request without questioning the details.
But the devil’s in the details, so keep reading to discover how your staff can learn to spot all the red flags of CEO fraud.
What is CEO Fraud?
CEO fraud is a complex form of phishing attack that scammers use to trick employees into transferring money or providing confidential company data.
This social engineering technique preys on the trust of the email recipient. Attackers know their way around deceiving people who don’t check email addresses very carefully or fail to notice spelling errors.
How Does It Work?
Cybercriminals will impersonate the company CEO or other executives and require employees, usually in the HR or accounting departments, to send out a wire transfer, updating account data, or providing account information.
Gift card scams are associated with CEO fraud, and they are virtually impossible to trace once they’ve been sent out. However, these phishing attacks might not necessarily be CEO-specific. For example, cybercriminals can pretend to be an HR manager. The employee has even less suspicion when the sender is someone lower in the company and closer to their rank.
Who’s targeted?
The sneaky social engineering techniques and tricks used in this particular type of phishing scam are constantly evolving and changing. However, scammers target seem to target the following categories of individuals and companies prevalently:
- Employees who regularly work with foreign suppliers and companies.
- Businesses that regularly send wire and electronic funds transfers.
- Human resources and payroll departments.
- The elderly and people who have made recent real estate purchases.
- The size of your business, where you operate, or how many employees you have has zero bearing on your risk level for CEO fraud.
Facts and Figures on CEO Fraud
CEO fraud is a $26 billion scam, according to the FBI and Internet Crime Complaint Center (IC3). Between June 2016 and July 2019, the FBI reported more than 166,000 US and international reports of CEO fraud attacks.
The Department of Justice revealed that same day that 281 people were arrested, and $3.7 million was seized in an international cyber fraud crack-down called Operation reWired.
“In unraveling this complex, nationwide identity theft and tax fraud scheme, we discovered that the conspirators stole more than 250,000 identities and filed more than 10,000 fraudulent tax returns, attempting to receive more than $91 million in refunds,” said Chief Don Fort of IRS Criminal Investigation.”
Department of Justice press release
A famous case made headlines in Canada two years ago, when the Treasurer of the City of Ottawa was tricked into wiring over $100,000 to a fraudster’s account who sent her an email impersonating the city manager.
The FBI highlighted that the best way for organizations to stay safe from CEO fraud is by educating their employees on cyber threats and providing them with ongoing security awareness training.
8 Questions Your Employees Shoul Ask Themselves To Prevent CEO Fraud
Before acting on any urgent request from the CEO or other executives, your employees should ask the following questions:
- Has my CEO ever asked me to transfer money to a new account?
- Am I the right person to be handling this type of request? Shouldn’t the CFO or VP of HR be doing this?
- Why can’t the CEO do this themselves? Is there a problem with our network that is preventing our CEO from getting access?
- Is this type of request standard? Have I done this before?
- Can I contact someone at the vendor, bank, or partner that is mentioned in the email?
- Doesn’t this violate our company policy about sharing employee information?
- Is the email address correct? When I click Reply – I need to verify that it’s an actual company email address.
- Is there a phone number in the email signature? If so, call it and double-check the request with the sender
Scammers will often use strong language in their malicious emails, and the timeline to execute the action requested will be short. Sometimes, they’ll even send multiple emails asking when the task will be completed and emphasize the importance and the urgency of this action.
How ATTACK Simulator Can Help
When your employees learn how to read the red flags of a phishing attack, they can take their time to calmly assess the situation and examine all the details the devil may be hiding in which otherwise would go unnoticed. To evaluate your company’s exposure and vulnerability for CEO fraud and any other form of phishing, you can use our free security awareness training trial.
Our phishing simulations will ensure that your employees are exposed to realistic hands-on fake phishing attacks.
Choose ATTACK Simulator’s Security Awareness Training program to keep your company safe from online dangers.
Attribution:
Work illustrations by Storyset
People illustrations by Storyset
Marketing illustrations by Storyset
Feature Image: Abstract vector created by katemangostar – www.freepik.com
